
ATLANTA -- Target said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

Target (TGT) said the stolen personal identification numbers, which customers type into keypads to authorize debit transactions, were encrypted and that this strongly reduces the risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the data encoded on the magnetic stripe on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos. (TJX).

Target said it neither has access to nor stores the encryption key within its systems, and that the PIN data can only be decrypted once it reaches the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday.

"The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and couldn't have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards aren't safe and people "should change them at this point."

Litan said that while she has no information about the encrypted PIN data in Target's case, such data has been decrypted before, in particular in the 2005 TJX Cos. hacking case, which is believed to be the largest case of identity theft in U.S. history.

In 2009 computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted companies such as T.J. Maxx, Barnes & Noble (BKS) and OfficeMax. Gonzalez's group was able to decrypt encrypted card data. Litan said changes have been made since then to make decryption more difficult, but "nothing is infallible."

"It's not impossible, not unprecedented [and] has been done before," she said.
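To make the two positions concrete, here is an added example (not Target's, its processor's or the article's code) of how a debit PIN travels: the keypad formats the PIN into an ISO 9564 format 0 PIN block that is bound to the card number and encrypts it under a key only the processor holds; the processor decrypts it; and an attacker who somehow obtains that key needs at most 10,000 guesses to recover a four-digit PIN, which is the scenario Litan is warning about. The example assumes TDES (the cipher traditionally used for PIN blocks), a static key in place of the per-transaction DUKPT keys real keypads use, and a constructed test PAN and key.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// pinField is ISO 9564-1 format 0 field 1: [0][PIN length][PIN digits][F pad].
func pinField(pin string) ([8]byte, error) {
	var f [8]byte
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return f, errors.New("PIN must be 4 to 12 decimal digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	b, err := hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
	copy(f[:], b)
	return f, err
}

// panField is field 2: [0000][rightmost 12 PAN digits, Luhn check digit excluded].
func panField(pan string) ([8]byte, error) {
	var f [8]byte
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return f, errors.New("PAN must be at least 13 decimal digits")
	}
	body := pan[:len(pan)-1]
	b, err := hex.DecodeString("0000" + body[len(body)-12:])
	copy(f[:], b)
	return f, err
}

// PINBlock XORs the two fields, so the same PIN gives a different block on every card.
func PINBlock(pin, pan string) ([8]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return pf, err
	}
	af, err := panField(pan)
	for i := range pf {
		pf[i] ^= af[i]
	}
	return pf, err
}

// EncryptPINBlock is the keypad side: one TDES block under the zone key (a static key stands in for DUKPT).
func EncryptPINBlock(key []byte, blk [8]byte) ([8]byte, error) {
	var ct [8]byte
	c, err := des.NewTripleDESCipher(key) // 24-byte key
	if err != nil {
		return ct, err
	}
	c.Encrypt(ct[:], blk[:])
	return ct, nil
}

// DecryptPIN is the processor side: only the key holder can undo TDES and read the digits.
func DecryptPIN(key []byte, ct [8]byte, pan string) (string, error) {
	c, err := des.NewTripleDESCipher(key)
	af, aerr := panField(pan)
	if err != nil || aerr != nil {
		return "", errors.New("bad key or PAN")
	}
	var blk [8]byte
	c.Decrypt(blk[:], ct[:])
	for i := range blk {
		blk[i] ^= af[i] // strip the PAN field again
	}
	n, s := int(blk[0]&0x0F), hex.EncodeToString(blk[:]) // PIN length nibble; block as 16 nibbles
	if blk[0]>>4 != 0 || n < 4 || n > 12 || strings.Trim(s[2:2+n], "0123456789") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return s[2 : 2+n], nil
}

// BruteForcePIN is the caveat: with the key in hand, a 4-digit PIN costs at most 10,000 TDES calls.
func BruteForcePIN(key []byte, ct [8]byte, pan string) (pin string, tries int) {
	for guess := 0; guess < 10000; guess++ {
		pin = fmt.Sprintf("%04d", guess)
		blk, _ := PINBlock(pin, pan) // pin is always well-formed here
		if enc, err := EncryptPINBlock(key, blk); err == nil && enc == ct {
			return pin, guess + 1
		}
	}
	return "", 10000
}

// SampleKey is a throwaway 24-byte TDES key constructed for this example.
var SampleKey, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210ABCDEF0123456789")
func main() {
	pan := "4111111111111111" // well-known test PAN, not a real card
	blk, _ := PINBlock("1234", pan)
	ct, _ := EncryptPINBlock(SampleKey, blk)
	pin, _ := DecryptPIN(SampleKey, ct, pan)
	found, tries := BruteForcePIN(SampleKey, ct, pan)
	fmt.Printf("block %X -> encrypted %X -> processor reads %s; with the key leaked, brute force finds %s after %d tries\n", blk, ct, pin, found, tries)
}
```

Run it with go run. The design point is in the last line: what the keypad ships is 8 bytes that are useless without the processor's key, but a PIN has only four digits of entropy, so "encrypted" protects cardholders exactly as long as that key stays out of the attacker's hands, which is why the argument above turns entirely on where the key lives.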

Besides changing their PIN, Litan says, shoppers should opt to approve transactions with a signature instead, because she considers that safer.

Still, she said Target did "as much as could be reasonably expected" in this case. "It's a leaky system to begin with," she said.

Credit card companies in the U.S. plan to replace magnetic stripes with embedded chips by the fall of 2015, a system already common in Europe and other countries that makes cloned cards much harder to produce from stolen data.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.

-Ortutay contributed from San Francisco.

One reason Marquis' gas purchases might have triggered a fraud lockdown? Filling the tank is a common first move for credit card thieves.

"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.

The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.

Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.

"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."

(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)

People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.

"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.

Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.

There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).

When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.

"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."

Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.

Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.

"I go from New York to California a lot, and invariably someone will call me [from the bank], " he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.
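The rules the article describes, as an added example (not any issuer's code): a small rule scorer that runs over a constructed stream of authorizations and flags the card-test pattern, purchases in a high-fraud neighborhood, resellable goods, cash equivalents such as gift cards and prepaid loads, out-of-pattern spend, and impossible travel between two charges. The point weights, the threshold, the risk tables and the sample transactions are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Transaction is one authorization as the issuer sees it (constructed schema).
type Transaction struct {
	When     time.Time
	Amount   float64
	Category string // merchant category, e.g. "fuel", "electronics", "gift_card"
	ZIP      string
	Lat, Lon float64
}

type Profile struct {
	TypicalAmount   float64
	UsualCategories map[string]bool
}

type Alert struct {
	Index, Score int // Index is the position in the input slice
	Reasons      []string
}

var highRiskZIPs = map[string]bool{"48201": true} // constructed stand-ins for the issuer's risk tables
var resellable = map[string]bool{"electronics": true, "jewelry": true, "precious_metals": true}
var cashLike = map[string]bool{"gift_card": true, "prepaid_load": true, "casino_chips": true}

func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const d = math.Pi / 180 // degrees to radians
	a := math.Pow(math.Sin((lat2-lat1)*d/2), 2) +
		math.Cos(lat1*d)*math.Cos(lat2*d)*math.Pow(math.Sin((lon2-lon1)*d/2), 2)
	return 2 * 6371 * math.Asin(math.Sqrt(a))
}

// Score runs the heuristics over a chronologically ordered slice and returns each authorization whose score reaches threshold.
func Score(p Profile, txs []Transaction, threshold int) []Alert {
	var alerts []Alert
	for i, t := range txs {
		a := Alert{Index: i}
		add := func(n int, why string) {
			a.Score += n
			a.Reasons = append(a.Reasons, why)
		}
		if i > 0 {
			prev := txs[i-1]
			// Card test: a tiny fuel or charity charge, then a large purchase within a day.
			if (prev.Category == "fuel" || prev.Category == "charity") && prev.Amount < 10 &&
				t.Amount >= 5*p.TypicalAmount && t.When.Sub(prev.When) <= 24*time.Hour {
				add(3, "small card-test purchase followed by large purchase")
			}
			// Impossible travel: the card moved between two charges faster than an airliner.
			km, hours := haversineKm(prev.Lat, prev.Lon, t.Lat, t.Lon), t.When.Sub(prev.When).Hours()
			if km > 200 && (hours <= 0 || km/hours > 900) {
				add(4, fmt.Sprintf("impossible travel: %.0f km in %.1f h", km, hours))
			}
		}
		if highRiskZIPs[t.ZIP] {
			add(1, "purchase in a high-fraud neighborhood")
		}
		if resellable[t.Category] && t.Amount >= 3*p.TypicalAmount {
			add(2, "high-value resellable goods")
		}
		if cashLike[t.Category] {
			add(3, "cash-equivalent purchase")
		}
		if t.Amount >= 5*p.TypicalAmount || !p.UsualCategories[t.Category] {
			add(2, "out of pattern for this cardholder")
		}
		if a.Score >= threshold {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

// Constructed sample: a New York cardholder whose card buys gas, electronics and a gift card in Detroit one morning, then groceries in Los Angeles an hour later.
func SampleProfile() Profile {
	return Profile{TypicalAmount: 40, UsualCategories: map[string]bool{"grocery": true, "fuel": true, "restaurant": true}}
}

func SampleTransactions() []Transaction {
	return []Transaction{
		{time.Date(2013, 12, 20, 8, 0, 0, 0, time.UTC), 5.00, "fuel", "48201", 42.3314, -83.0458},
		{time.Date(2013, 12, 20, 9, 0, 0, 0, time.UTC), 899.00, "electronics", "48226", 42.3314, -83.0458},
		{time.Date(2013, 12, 20, 11, 0, 0, 0, time.UTC), 500.00, "gift_card", "48226", 42.3314, -83.0458},
		{time.Date(2013, 12, 20, 12, 0, 0, 0, time.UTC), 38.00, "grocery", "90012", 34.0522, -118.2437},
		{time.Date(2013, 12, 21, 18, 0, 0, 0, time.UTC), 42.00, "grocery", "10001", 40.7128, -74.0060},
	}
}

func main() {
	for _, a := range Score(SampleProfile(), SampleTransactions(), 3) {
		fmt.Printf("tx %d score %d: %v\n", a.Index, a.Score, a.Reasons)
	}
}
```

With the sample data the electronics purchase, the gift card and the Los Angeles grocery run all alert; the $5 fill-up alone scores too low, which matches the article's point that a gas purchase by itself cannot be a trigger. Real issuers learn these weights from history rather than hand-tuning them, and the reason strings are what a fraud analyst (or the cardholder on the phone) sees, so they are worth keeping specific.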


cjaneke

If the thieves were smart enough to "steal" 40M data profiles they are probably smart enough to untangle the PIN encryption. Winner gets all. However the difference between ATT's "slamming and cramming" and grand-theft thievery is wafer-thin. And it's legal. MAYBE (????).

About 5 years ago, Target canceled my Red Card which was in good standing because I wasn't using it often enough and didn't carry a balance. Now because of this mess, I'm GLAD they did! I've shopped at Target maybe 3 times in 5 years because of their arrogance! No sympathy for Target!

It also says on here that a New York judge ruled it's ok for the NSA to spy on you. Anyone spying on you is attacking you. They are not sending you a Christmas card. It doesn't matter what part of your information they are stealing, whether it's from your cell phone, computer, mail, or stealing your credit card data - it is an attack on you.